author | 2008-12-29 22:25:50 +0000 | |
---|---|---|
committer | 2008-12-29 22:25:50 +0000 | |
commit | c97a2171e4d82f7ef8c064e97426bb5df7bf2993 (patch) | |
tree | fbe4970d1ee6c0aac3dd743a6908932bdf113136 /lib/libc/stdlib/malloc.3 | |
parent | Give ifb its own display type (be sure to make includes before rebuilding (diff) | |
download | wireguard-openbsd-c97a2171e4d82f7ef8c064e97426bb5df7bf2993.tar.xz wireguard-openbsd-c97a2171e4d82f7ef8c064e97426bb5df7bf2993.zip |

extra paranoia for malloc(3):

Move all runtime options into a structure that is made read-only
(via mprotect) after initialisation to protect against attacks that
overwrite options to turn off malloc protections (e.g. use-after-free)

Allocate the main bookkeeping data (struct dir_info) using mmap(),
thereby giving it an unpredictable address. Place a PROT_NONE guard
page on either side to further frustrate attacks on it.

Add a new 'L' option that maps struct dir_info PROT_NONE except when
in the allocator code itself. Makes attacks on it basically impossible.

feedback tedu deraadt otto canacar
ok otto

Diffstat (limited to 'lib/libc/stdlib/malloc.3')
-rw-r--r-- | lib/libc/stdlib/malloc.3 | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/lib/libc/stdlib/malloc.3 b/lib/libc/stdlib/malloc.3 index edcd748ed97..2458834302f 100644 --- a/lib/libc/stdlib/malloc.3 +++ b/lib/libc/stdlib/malloc.3 @@ -30,9 +30,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $OpenBSD: malloc.3,v 1.58 2008/11/26 12:06:54 pedro Exp $ +.\" $OpenBSD: malloc.3,v 1.59 2008/12/29 22:25:50 djm Exp $ .\" -.Dd $Mdocdate: November 26 2008 $ +.Dd $Mdocdate: December 29 2008 $ .Dt MALLOC 3 .Os .Sh NAME @@ -249,6 +249,13 @@ Currently junk is bytes of 0xd0 when allocating; this is pronounced .Dq Duh . \&:-) Freed chunks are filled with 0xdf. +.It Cm L +.Dq Lock . +Lock critical data structures using +.Xr mprotect 2 +to protect against modification except by +.Nm +and related routines. .It Cm P .Dq Move allocations within a page. Allocations larger than half a page but smaller than a page |
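
Review bot: In the second hunk, the new `.It Cm L` entry promises protection "against modification", but the commit message says struct dir_info is mapped PROT_NONE outside the allocator, which blocks reads as well as writes. Consider describing it as protection against access rather than modification, and naming what is locked more concretely than "critical data structures", so the man page matches the behaviour the commit message describes. The entry also says nothing about whether `L` has a runtime cost; if the mapping is re-protected on every entry to and exit from the allocator, a sentence on that would help readers decide when to enable it.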